Validation of CRL-related chains on clients that do not support CRL

crocs-muni / usable-cert-validation

Research initiative to make TLS certificate validation usable.

https://x509errors.org

MIT License

19 stars 3 forks source link

Validation of CRL-related chains on clients that do not support CRL #126

Open zacikpa opened 2 years ago

zacikpa commented 2 years ago

Currently, all clients validate CRL-related chains, but only the OpenSSL one supports CRL checking. This results in false mappings (see e.g. erroneous certificates for Botan error VERIFIED.

The steps should be as follows:

[ ] Disable the validation of these certs on all clients except OpenSSL (in vconfig.yml)
[ ] Implement CRL checking in the remaining clients and only then enable the validation

mukrop commented 2 years ago

I see the first point here as rather important.